typedef struct _HookTable {
LIST_ENTRY ListEntry;
CHAR chFuncName[128];
DWORD dwOleFuncAddr;
DWORD dwNewFuncAddr;
BYTE byOpCode[15];
UINT uOpLen;
} HookTable, *pHookTable;
namespace CHookManage {
class CHookManageClass {
private:
LIST_ENTRY m_listEntry;
protected:
public:
//实始化
VOID InitiaList();
//清除
VOID ClearList();
//添加HOOK
BOOLEAN AddHookFunc(CHAR* pFuncName, DWORD dwOleFuncAddr, DWORD dwNewFuncAddr, UINT uLen, DWORD* dwFunc);
//HOOK函数
BOOLEAN HookFunc(DWORD dwOleFuncAddr, DWORD dwNewFuncAddr);
//UNHOOK函数
VOID UnHookFunc(DWORD dwOleFuncAddr, PBYTE pOpCode, UINT uLen);
//获取函数地址
DWORD GetFuncAddr(CHAR* pFuncName);
};
//类指向
CHookManageClass* GetThis();
};
CHookManage::CHookManageClass* CHookManage::GetThis()
{
static CHookManage::CHookManageClass _CHookManageClass;
return &_CHookManageClass;
}
VOID CHookManage::CHookManageClass::InitiaList()
{
InitializeListHead(&m_listEntry);
}
VOID CHookManage::CHookManageClass::ClearList()
{
if (!MmIsAddressValid(&m_listEntry)) {
return;
}
while (!IsListEmpty(&m_listEntry)) {
PLIST_ENTRY pListNext = RemoveTailList(&m_listEntry);
pHookTable pHookInfo = CONTAINING_RECORD(pListNext, HookTable, ListEntry);
UnHookFunc(pHookInfo->dwOleFuncAddr, pHookInfo->byOpCode, pHookInfo->uOpLen);
ExFreePool(pHookInfo);
}
}
BOOLEAN CHookManage::CHookManageClass::AddHookFunc(CHAR* pFuncName, DWORD dwOleFuncAddr, DWORD dwNewFuncAddr, UINT uLen, DWORD* dwFunc)
{
BOOLEAN bRet = FALSE;
if ((NULL == pFuncName) || (0 == dwOleFuncAddr) || (0 == dwNewFuncAddr) || (0 == uLen)) {
return bRet;
}
__asm int 3
pHookTable pTempHookTable = (pHookTable)ExAllocatePool(NonPagedPool, sizeof(HookTable));
__try {
RtlZeroMemory(pTempHookTable, sizeof(HookTable));
StringCbCopy(pTempHookTable->chFuncName, 128, pFuncName);
pTempHookTable->dwOleFuncAddr = dwOleFuncAddr;
pTempHookTable->dwNewFuncAddr = dwNewFuncAddr;
pTempHookTable->uOpLen = uLen;
RtlCopyMemory(pTempHookTable->byOpCode, (PVOID)dwOleFuncAddr, uLen);
BYTE byData[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
ULONG uJmpAddr = (dwOleFuncAddr + uLen) - ((DWORD)pTempHookTable->byOpCode + uLen) - 5;
RtlCopyMemory(byData + 1, &uJmpAddr, sizeof(ULONG));
RtlCopyMemory((PVOID)((DWORD)pTempHookTable->byOpCode + uLen), byData, sizeof(byData));
InsertHeadList(&m_listEntry, &pTempHookTable->ListEntry);
bRet = HookFunc(dwOleFuncAddr, dwNewFuncAddr);
*dwFunc = GetFuncAddr(pFuncName);
}
__except (EXCEPTION_EXECUTE_HANDLER) {
bRet = FALSE;
}
return bRet;
}
BOOLEAN CHookManage::CHookManageClass::HookFunc(DWORD dwOleFuncAddr, DWORD dwNewFuncAddr)
{
BOOLEAN bRet = FALSE;
if ((0 == dwOleFuncAddr) || (0 == dwNewFuncAddr)) {
return bRet;
}
__try {
BYTE byData[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
ULONG uJmpAddr = dwNewFuncAddr - dwOleFuncAddr - 5;
RtlCopyMemory(byData + 1, &uJmpAddr, sizeof(ULONG));
CTool::GetThis()->ShutdownWriteProtect();
RtlCopyMemory((PVOID)dwOleFuncAddr, byData, sizeof(byData));
CTool::GetThis()->OpenWriteProtect();
bRet = TRUE;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
bRet = FALSE;
}
return bRet;
}
VOID CHookManage::CHookManageClass::UnHookFunc(DWORD dwOleFuncAddr, PBYTE pOpCode, UINT uLen)
{
if ((0 == dwOleFuncAddr) || (NULL == pOpCode) || (0 == uLen)) {
return;
}
CTool::GetThis()->ShutdownWriteProtect();
RtlCopyMemory((PVOID)dwOleFuncAddr, pOpCode, uLen);
CTool::GetThis()->OpenWriteProtect();
}
DWORD CHookManage::CHookManageClass::GetFuncAddr(CHAR* pFuncName)
{
DWORD dwRet = 0;
if (NULL == pFuncName) {
return dwRet;
}
PLIST_ENTRY pListNext = m_listEntry.Flink;
while (pListNext != &m_listEntry) {
pHookTable pHookInfo = CONTAINING_RECORD(pListNext, HookTable, ListEntry);
pListNext = pListNext->Flink;
if (_stricmp(pHookInfo->chFuncName, pFuncName) == 0) {
dwRet = (DWORD)pHookInfo->byOpCode;
break;
}
}
return dwRet;
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//使用
CHookManage::GetThis()->InitiaList();
CHookManage::GetThis()->AddHookFunc("NtOpenProcess", CSymbol::GetThis()->GetFuncAddr("NtOpenProcess"), (DWORD)Test_NtOpenProcess, 5, (DWORD*)&g_TestNtOpenProcess);
extern "C"
typedef NTSTATUS(NTAPI* T_NtOpenProcess)(__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId);
T_NtOpenProcess g_TestNtOpenProcess;
NTSTATUS NTAPI Test_NtOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
__asm int 3
return g_TestNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
//卸载
CHookManage::GetThis()->ClearList();
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
